Virus or not (Adobe Reader) ???

Hi, I just got a new computer, did my first Avast scan and it already detected 2 viruses ??
I did not just go online with the new machine. At first, I downloaded programs on a different computer (bug-free, running with Avast also), scanned them, then transferred them to the new comp and installed them.
Protection consists of: ZoneAlarm Firewall, Avast, Spybot, AdAware, SuperAntiSpyware, Malwarebytes on both machines. Apart from Avast, only Spybot found some tracking cookies; the other programs did not find anything. Avast detected the following:

C:\System Volume Information\_restore{B991F27A-883F-42A9-A172-EAAB1D37FFA}\RP20\A0005047.exe
C:\Dokumente und Einstellungen\notebook\Eigene Dateien\Programm-exes\AdbeRdr90_de.exe

both files were generated at exactly the same second, so I suppose they both somehow belong to the Adobe Reader.

Now, apart from me wondering why on earth this is now malware if it wasn’t when I downloaded and installed it (with Avast already running on both computers !), I have the following problems:
The first virus, I don’t seem to be able to even find. (I cannot find the “System Volume Information” folder either in Explorer or through the search function ???), so I can neither send it to Avast nor have it looked at by VirusTotal.
The second one I can find, and on my hard drive (in Explorer) it shows the usual size, but when trying to send it either to Avast or to VirusTotal, I get the message that the folder is empty / 0 bytes received ?? (This is before I moved it to the chest) ???
Would anyone please be able to help ?? Is it somehow possible to send the files off to Virustotal directly from the chest ?? I’ve gone into the Avast-Program Folder in Windows-Explorer, but all I find under “chest” are numeric entries 000000001, 000000002 - I assume these are days ??? But don’t know how to open them. I have tried sending both files to Avast directly from the chest, but heaven knows if that worked … ?

I have left the files in the chest for now. I have not had any error messages, but then: I have not even started working with this computer. So I could not even tell if it is running as usual, or if there are any hiccups (I am still even just trying to figure XP out - coming from W2k and trying to get it to do what I want…).

Should I just uninstall the Adobe Reader and see if that gets rid of the problem ? Or would that only be a “cosmetic fix” should this be anything serious ???

I’d really really appreciate your help. My alternative is to abort doing everything I am doing and start installing this computer from scratch (oh boy !).

Thanks heaps +++ for any input.
Sydney

The first one is in your System Restore; by turning SR off you will erase all restore points and anything in them.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting. (courtesy of DavidR)
http://www.virustotal.com/

Hi Sydney,

This could be a generic find of Adclicker.Trojan, but first establish at virustotal whether the file is flagged by various scanners.

Description: Trojan.Adclicker is a trojan that will produce pop-up advertisements when you are on the internet and embed banner ads in the web pages you are viewing.
Type: TT_Trojan
Also known as: Adware.Hiu.c, AdWare.Win32.Agent.ak [Kaspersky], AdWare.Win32.Age
When Trojan.Adclicker is executed, it does the following:
  1. Copies itself to your computer, often to the Windows or System folder.

  2. Sends HTTP requests to various Web sites. The request typically takes the form of an HTTP GET request, with the Referer field set to a Web site, which the Trojan’s author controls.

  3. Depending on the variant, the Trojan may also do the following:
    * Add a value:

      "<any value>"="<the location of the trojan>"
    
      to one of the registry keys:
    
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    
    
      so that the Trojan runs when you start Windows.
    
    * Dynamically update itself by downloading new versions over the Internet.
    * Send email notification to its creator when it is executed,

polonus

BINGO !!!

  • Turned the system restore off, as advised. Just in case someone else needs to do this in XP, here are the steps:

Manual steps to turn off or turn on System Restore in Windows XP

Steps to turn off System Restore

  1. Click Start, right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
  4. Click OK.
  5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
     You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
     Do you want to turn off System Restore?
     After a few moments, the System Properties dialog box closes.

Steps to turn on System Restore

  1. Click Start, right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
  4. Click OK.
     After a few moments, the System Properties dialog box closes.

  • then extracted the file from the chest to C: as advised and sent it to VirusTotal (and to Avast tech support):

MD5: e22d08fa42d4debfceb9e50879452c5e
First received: 10.22.2008 17:58:18 (CET)
Date: 10.24.2008 16:53:59 (CET) [>2D]
Results: 11/36
Permalink: analisis/21241594d776175d96d63776578770f3

Antivirus Version Last Update Result
AhnLab-V3 2008.10.24.3 2008.10.24 Win-Trojan/Agent.68608.BH
AntiVir 7.9.0.7 2008.10.24 ADSPY/ConsumB.A
Authentium 5.1.0.4 2008.10.24 -
Avast 4.8.1248.0 2008.10.24 -
AVG 8.0.0.161 2008.10.24 Downloader.Agent.ANSV
BitDefender 7.2 2008.10.24 -
CAT-QuickHeal 9.50 2008.10.24 TrojanDownloader.Agent.akfv
ClamAV 0.93.1 2008.10.24 -
DrWeb 4.44.0.09170 2008.10.24 -
eSafe 7.0.17.0 2008.10.23 -
eTrust-Vet 31.6.6167 2008.10.24 -
Ewido 4.0 2008.10.24 -
F-Prot 4.4.4.56 2008.10.24 -
F-Secure 8.0.14332.0 2008.10.24 Trojan-Downloader.Win32.Agent.akfv
Fortinet 3.113.0.0 2008.10.24 W32/Agent.AKFV!tr.dldr
GData 19 2008.10.24 -
Ikarus T3.1.1.44.0 2008.10.24 not-a-virus:AdWare.Win32.Stud.d
K7AntiVirus 7.10.506 2008.10.24 -
Kaspersky 7.0.0.125 2008.10.24 Trojan-Downloader.Win32.Agent.akfv
McAfee 5414 2008.10.24 -
Microsoft 1.4005 2008.10.24 Adware:Win32/FakeFlash
NOD32 3552 2008.10.24 -
Norman 5.80.02 2008.10.23 -
Panda 9.0.0.4 2008.10.24 -
PCTools 4.4.2.0 2008.10.24 -
Prevx1 V2 2008.10.24 -
Rising 21.00.42.00 2008.10.24 -
SecureWeb-Gateway 6.7.6 2008.10.24 Ad-Spyware.ConsumB.A
Sophos 4.34.0 2008.10.24 -
Sunbelt 3.1.1749.1 2008.10.23 -
Symantec 10 2008.10.24 -
TheHacker 6.3.1.0.126 2008.10.23 -
TrendMicro 8.700.0.1004 2008.10.24 PAK_Generic.001
VBA32 3.12.8.8 2008.10.22 -
ViRobot 2008.10.24.1436 2008.10.24 -
VirusBuster 4.5.11.0 2008.10.23 -

Thanks heaps so far, but where to from now ??
Sydney

P.S. Just realized that the last line of my first post went missing:
(Windows XP SP2, Avast 4.8, File Version 081025-1 from 25 Oct 08, Core 2 Duo, 2.4 GHz, 3 GB RAM)

You’ve got too much protection. Only keep one antispyware.

I also suggest you try Revo Uninstaller.

Have you tried Foxit Reader 2.3?

Done. Please see 1st post. (Nil found, still detected by Avast). Thanks.

Re: sending the file to Avast: gotta correct myself. As I hit the “send” button (after posting), of course, I got the virus warning again & could not send it…

Taylor, your post keeps changing… I already have Foxit Reader, thanks.
I got Malwarebytes and Spybot on top of the other two in spring/early summer, when it was suggested to get those two in this forum here (please see my other topic).
I hate Spybot - it causes a lot of interference with all sorts of things. But it seems to offer better real-time protection than AdAware.
Why did you suggest the uninstaller ? I don’t have any probs uninstalling programs… Thx.

Still wondering what to do now ???

Did you create a folder and exclude it in the Standard Shield ? Have you tried a boot-time scan? Also, why don’t you post a HijackThis log?

http://www.digitalred.com/avast-boot-time.php

http://www.filehippo.com/download_hijackthis/

Yeah, I attached the file to that mail exactly like I sent it to VirusTotal. VirusTotal obviously wasn’t a problem, but when wanting to send that e-mail off (with the file attached from the Suspect folder), that Avast warning screen came up, warning me that I am sending a Trojan and suggesting to abort sending the e-mail.
I’ll do the boot scan next, but that will take a while I guess. Will post with results.

O.k. so I’ve done the boot-time scan and of course my created “suspect”-file was detected and moved to chest. And that was it. Does that mean that I can simply delete that AdobeRd.exe-file that I have in the chest and that’s it ??? Why would I do a hijack-this scan ???
Syd.
P.S. I hate those automatic smileys - these were just question-marks !!!

Unfortunately, these things have a habit of returning. Leave what’s in the chest, no need to delete. The HJT program is very quick. Please post one. Copy and paste the results.

Boy, you are right, that IS quick:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:53, on 27.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe

Is this what you’re after ?

Sorry, I was too quick. Here is the second part:
(cannot post all at once cause message exceeds character limit).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tagesschau.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O4 - HKLM..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM..\Run: [TPFNF7] C:\Programme\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM..\Run: [TPHOTKEY] C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM..\Run: [TpShocks] TpShocks.exe
O4 - HKLM..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [AwaySch] C:\Programme\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM..\Run: [trueImageMonitor.exe] C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM..\Run: [Acronis Scheduler2 Service] “C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Programme\Adobe\Photoshop Elements 5.0\apdproxy.exe”
O4 - HKLM..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM..\Run: [LanguageShortcut] C:\Programme\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM..\Run: [DiskeeperSystray] “C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe”
O4 - HKLM..\Run: [cssauth] “C:\Programme\Lenovo\Client Security Solution\cssauth.exe” silent
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOKALER DIENST’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETZWERKDIENST’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Digital Line Detect.lnk = C:\Programme\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE

3rd part:

O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät… - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra ‘Tools’ menuitem: ThinkVantage Password Manager… - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 13822 bytes
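A defender-side triage pass over a log in the format posted above, as an added example (not from this thread and not HijackThis’s own code): the sample log is constructed from a few representative lines, and the heuristics it flags (a browser proxy set, a Run value without a full path, a missing Winlogon Notify DLL, a service without a vendor string) are my own assumptions about what a reviewer looks at first, not rules from the tool.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log format, modelled on the log posted in this
# thread (only a few representative lines; not the poster's full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")                # "O4 - ..." style lines
RUN_RE = re.compile(r"^(\S+?)\\?\.\.\\Run: \[([^\]]*)\] (.*)$")  # O4 Run values (with or without the "\" before "..")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")      # O23: name - vendor - path


def parse_hjt(text):
    """Split a HijackThis log into header lines, running processes and keyed entries."""
    header, processes, entries = [], [], defaultdict(list)
    state = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            state = "procs"
            continue
        if not line:
            if state == "procs":
                state = "entries"  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
        elif state == "header":
            header.append(line)
        elif state == "procs":
            processes.append(line)
    return {"header": header, "processes": processes, "entries": dict(entries)}


def triage(parsed):
    """Review heuristics (assumed, not HJT's); each finding is (section, reason, entry)."""
    findings, e = [], parsed["entries"]
    for item in e.get("R1", []):
        if "ProxyServer" in item:
            findings.append(("R1", "browser proxy is set; confirm which program owns it", item))
    for item in e.get("O4", []):
        m = RUN_RE.match(item)
        if m is None:
            continue
        name, cmd = m.group(2), m.group(3)
        # first token of the command, with or without surrounding quotes
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if not re.match(r"^[A-Za-z]:\\", exe) and exe.lower() != "rundll32":
            findings.append(("O4", f"Run value [{name}] has no full path (resolved via PATH)", item))
    for item in e.get("O20", []):
        if "(file missing)" in item:
            findings.append(("O20", "Winlogon Notify DLL missing on disk; stale or cleaned entry", item))
    for item in e.get("O23", []):
        m = SERVICE_RE.match(item)
        if m and m.group(2).strip() in ("Unknown owner", ""):
            findings.append(("O23", f"service '{m.group(1)}' has no vendor string; verify the binary", item))
    return findings
```

Run `triage(parse_hjt(SAMPLE_LOG))` to get the four flagged entries; a flag is a prompt to check the file on disk and its vendor, not a verdict.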

Well, I posted your log on HijackThis.de, and it looks clean. Have you still got System Restore turned off? If so, leave it off, do another scan with Avast, and see if it finds anything. I only had a very quick look at your log, as I’m busy painting. Will have a better look later (not for threats).

Micky, thorough scan with system restore turned off revealed no threats.
So I guess I could delete the files from the virus chest ?
Also, what I found on this new comp. is that the Avast scan results show a lot of password-protected archives, although I have not installed ANY passwords (as yet). Any idea what this could be - and more importantly: do I need to do anything about it ? The vast majority of the files start with:
C:\SWTOOLS\APPS\rnr\ I guess this could be preboot or system files of some sort ??
Plus, there are some files from SuperAntiSpyware as well…

Out of the 4 anti-spyware programs I am running (Spybot, AdAware, SuperAntiSpyware, Malwarebytes), which ones should I get rid of in your opinion ?

Thanks so much for your help, I’ll watch out for your reply, but might have to hit the sack at some stage…

Wish I could help you painting in return (much better at that than with computers… :))
Syd.

Well, things sound OK. Turn System Restore back on and create a restore point. I’m still up to my neck in emulsion. A quick Google seems to suggest the password-protected files might be something to do with the IBM (DRIVERS) Rescue and Recovery utility. Will have another look later. Definitely keep MBAM and SAS.

Created the restore point. Could have googled myself - silly me. Not trying to keep you busy on purpose…
Hope you’re not pink with green dots…